UK national cyber attack response and investigation is a well-defined and rehearsed process, but the responsible agencies say they are building more capability and closing the gaps
The UK’s National Crime Agency (NCA), National Police Chiefs’ Council (NPCC) and National Cyber Security Centre (NCSC) are tasked with responding to different aspects of cyber attacks.
“Of course these areas overlap, but that is why we work so closely together on a formal basis and daily through our investigators working together and talking to each other,” said Oliver Gower, deputy director of the NCA and head of the NCA’s National Cyber Crime Unit (NCCU).
The NCA investigates the most serious and complex attacks hitting the UK, coordinates and supports the entire UK policing response, and provides specialist high-end technical support to that response, at a national or a regional level.
The NCSC, which is part of GCHQ, protects critical services from cyber attacks, steps in to help victims mitigate the effect of attacks and manage major cyber incidents, and improves UK internet security.
Police regional organised crime units (ROCUs) lead investigations into multi-jurisdictional cyber crime, and have dedicated roles to prevent cyber crime and to increase the overall level of resilience in their region. They are resourced by local police forces, but operate as standalone teams at a regional level.
At the local level, policing leads the response to cyber crime, investigating cases referred by the National Fraud Intelligence Bureau (NFIB), distributing advice to victims and the vulnerable, and feeding the national intelligence picture.
“When it comes to cyber incidents that affect critical infrastructure, the economy or significant members of the public, the response follows a very well-rehearsed process, with central coordination of reporting and tasking,” said Gower.
Action Fraud, which is part of the City of London Police and sits alongside the NFIB, is the national reporting portal for both industry and the public, and operates an around-the-clock helpline for businesses, charities and organisations that are under attack.
“Action Fraud triages reports and refers serious cyber incidents to the NCA, although in some cases reporting comes directly to the NCA from the NCSC or industry, but no matter what door a victim uses, they enter the same ‘hallway’ because our organisations and agencies are so well connected,” said Gower.
In the NCA’s NCCU, there is a triage, incident and co-ordination unit (Ticat), which sits at the centre of the network of ROCUs and decides whether investigations should be led by the NCA or a ROCU investigation team, while keeping the NCSC informed so it can advise on mitigation and protection.
“So we don’t have people going out at a local or regional level who do not understand the bigger picture and don’t understand the nature of what they are dealing with because all of that is joined up, and, at the same time, the ROCUs provide feedback to the NCSC to inform the overall picture of threats facing the UK,” said Gower.
The central tasking processes, he said, are reviewed by the NCA and the NPCC on a monthly basis to ensure the right resources are focused on the right priorities.
Working together on WannaCry
According to Gower, this model was well-tested during the WannaCry attack in which the NCA led the criminal investigation, while the NCSC developed advice on limiting damage, protecting uninfected computers, and establishing the scale of the incident. “We had very clear roles and responsibilities in working together on WannaCry,” he added.
Under the NCA coordination of law enforcement in response to WannaCry, ROCU and NCA teams were deployed to NHS sites to engage with victims, taking advice from the NCSC about how best to help. “While the emphasis was on mitigation, there were also opportunities to gather evidence,” said Gower.
City of London Police focused on issuing advice on how to protect computers to the public and to businesses, especially small to medium-sized enterprises (SMEs). “There was also a focus on keeping their reporting function up and running with the right level of resources to meet a high level of demand,” said Gower.
The National Police Operations Centre worked very closely with the NCA, briefing police chiefs on behalf of the NCA, and was also on standby to mobilise forces if the situation deteriorated, he said.
“By coordinating our response in that way, we are able to effectively and efficiently deal with cyber threats and live cyber incidents. We have a model that works in dealing with 21st-century volume and internet-enabled crime, where the infrastructure, victims and criminals are all in different places, and there is no point in investigating events in isolation,” said Gower.
“That’s why the NCA has officers in the US Secret Service, the FBI, Europol and Interpol, helping to join up not just the national or domestic response, but to link that internationally, which is very important when it comes to things like WannaCry and NotPetya,” he said.
Hub and spoke model ‘effective’ against cyber crime
Talking of the nature of the threat, Gower said that traditional crime has become cyber-enabled, that attackers and victims no longer need to be in the same place, that the lines are blurring between state and criminal activity, and that criminals are increasingly looking to exploit vulnerabilities in legacy systems and in third parties in the supply chain of target organisations.